Posted
by
CmdrTaco
on Thursday February 05, 2009 @10:43AM
from the you-gotta-be-kidding-me dept.

Futurepower(R) writes "CNN's use of software called Octoshape presents an incredibly abusive EULA. If you agree to the EULA, you agree that CNN can use your bandwidth, and that you will pay any costs. Also, you lose the right to monitor your own network traffic. You can't even use information collected by your own firewall. Quoting the EULA:
'You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you not are allowed to use or distribute such information.' "

Who gives a shit if it's valid? Is the no-monitoring part enforceable? They gonna install DRM on my machine that makes sure I'm not capturing packets? They gonna push that DRM out to my gateway to make sure I'm not capturing them there?

This is what happens when you let the lawyers draft the EULA without even consulting with the techies.....

You will, if you get sued over it. Obviously, the terms are ludicrous and nigh-unenforceable. This doesn't mean that they won't be enforced; just that they'll probably be enforced selectively to, say, silence critical reviews.

What would be even more interesting would be if person A accepts EULA on a machine M1, and uses machine M2 to gather packet information from M1. Is a person bound by the EULA on any computer he/she uses but accepting it on a single machine?

Also, there is another point. Slashdot editors change stories submitted to them seemingly at random, but retain the submitter's name.

The story as I wrote it [slashdot.org] mentions that Adobe is allowing Octoshape to use Adobe's Express Installer to install the software.

Basically, that means that if you allow rights to Adobe, you are also giving rights to anyone who pays Adobe. Adobe's updating software is very annoying, in my opinion, but this new situation takes the abusiveness to a much higher level. See the linked story, Watch a live video, share your PC with CNN [windowssecrets.com], at WindowsSecrets.com [windowssecrets.com].

The issue is privacy. Since they are "borrowing" user's bandwidth this exposes other users potentially personally identifying information to the first user. Now you can track other user's activities (within a fairly narrow scope) by using information that can be gathered on your own computer.

I suspect they had to put this in because of this potential. Would it fly if it was clearly exposed what was happening in EU countries? I doubt it. How about if they said:

By using the CNN service you will be receiving information about other user's online activities as they will be receiving information about your activities. This is an essential part of the service that cannot be disabled. By accepting this agreement you acknowledge that no part of your activities on the CNN web site or other related services may be private, secret, anonymous or in any way protected from every other user of the CNN web site or other related services.

The issue is privacy. Since they are "borrowing" user's bandwidth this exposes other users potentially personally identifying information to the first user.

Oh no. Is my computer broadcasting an IP address again?

Seriously, that's all the personally identifying info it should be sending out. And rather than trying to stop other people from looking at such info, they should do the EULA the opposite way. Simply inform each user that other users may be able to determine which content they are watching (which the

I think you missed the point, Lord Kronos. The issue is not what information is there. The issue is that agreeing to the EULA means that it is illegal to read your own firewall logs. Maybe they would never prosecute, but maybe they would install software to prove you are looking at your logs. If they prosecuted, maybe you would win, after five years and tens of thousands of dollars in legal fees.

No, I don't think I missed any point, but I think you missed mine? Why did they add this clause to the EULA? You think they did it to stop you from looking at your firewall logs? Huh? What do they have to gain from that?

cdrguru made a relevant point. The most likely explanation for why they did this was to "protect" the privacy of their other users, since this is something like a bittorrent application. I was simply pointing out that since they can't actually protect anything, they should have just notified users of the shared info rather than pretending like they can legalese such shared info out of existence.

I also was not saying you shouldn't worry about the EULA or anything. I was saying why their approach to setting up the EULA was backwards.

Too bad we don't have methods of encryption that could work around that. It would never be perfect, but it's a lot better than a bad EULA and is already protected under the DMCA (which is retarded as well, but there you go).

I actually think your wording would be better and more honest. Add to that something saying that by using the service you are agreeing not to use information that may be available to you regarding other users' activities for nefarious purposes would be good. Naive, maybe, but better than what I see here.

"Borrowing" implies they give it back after they're done using it. There is no such thing as "borrowing" bandwidth. They are "using" bandwidth, other people's bandwidth, to deliver their content without having to foot the bill.

Now I'm all for P2P and decentralized communities, but CNN does not fit the description. They are a corporate entity encroaching on other people's property.

If they just used BitTorrent to deliver streams, no problem, I applaud that. Maybe multicast would be better for some streams, but whatever. If it's really a problem, I can limit my upload, or block them from uploading at all.

However, when their EULA prevents me from reading my own logs (much less any of the above shaping), that's when I have a problem.

Given they specifically mentioned firewalls and not using/distributing the information, they should be aware that no DRM on the machine itself is going to work.

Another topic would be a network with firewall/monitoring systems run by a non-agreeing party. Let's say I'm running a coffeshop that offer free wireless. Customer A comes in with said CNN program installed. Not having agreed to the terms of the EULA, I'm free to analyze the heck out of the stream.

Who gives a shit if it's valid? Is the no-monitoring part enforceable? They gonna install DRM on my machine that makes sure I'm not capturing packets? They gonna push that DRM out to my gateway to make sure I'm not capturing them there?

This is what happens when you let the lawyers draft the EULA without even consulting with the techies.....

What are you talking about? It seems pretty self explanatory.

1. They are using a Bittorrent type protocol for some reason or other. P2P.2. They don't want to get sued when some twit on a pay as you go Internet connection runs up a huge bill, presumably after leaving the client open (perhaps even overnight). This is the same reason MMORPG boxes say an Internet Connection is required and that yes, you have to pay the ISP bill, not Turbine/Sony/Blizzard/etc.3. They don't want you sniffing the IP addresse

>>>Who gives a shit if it's valid? Is the no-monitoring part enforceable?

No it's not enforceable, because it's invalid.;-) Yes I went-round in a circle, but let me back that up with a Supreme Court ruling, which invalidated Paypal's EULA back in 2006, and ultimately led Paypal o hand-out $50 or $200 refunds to its customers. The Justices determined that consumers can not sign-away their rights, and therefore large sections of the EULA were declared invalid/illegal. I suspect if the justices reviewed CNN's EULA, large portions of it would also be declared invalid because "citizens can not sign away their rights as protected by law".

It's your bandwidth. It's your computer. And it's your home. You have a right to monitor what passes into & out of your own home, and no EULA can override that legally-protected right. Therefore if I ever use CNN, I'll just keep running my bandwidth meter and counting how many megabytes I used today. Screw em.

Yes. The US Legal system believes that they are valid. Does anyone else matter? I know its "common knowledge" on slashdot that they aren't valid, but find one US case that says they aren't valid. There are many that say they are...

Actually the US case law is inconsistent and have only ruled on the validity specific EULAs not about them in general. There have been cases where EULAs have been ruled enforceable and valid and others to the contrary. So your statement is actually misleading.

I know its "common knowledge" on slashdot that they aren't valid, but find one US case that says they aren't valid. There are many that say they are...

In this case, the U.S. Court of Appeals for the Third Circuit held that a EULA disclaimer waiving all express and implied warranties, printed on the outside of the box, was not binding.

This post is wrongly moderated. It is not informative. It is misinformative, or uninformative at best. The argument that the recognition of particular EULAs is distinct from recognition of the validity of EULAs "in general" betrays an ignorance of the judiciary and of contract law. This is simply not the way that the legal system works; courts must rule on an actual case or controversy and are not permitted to announce "general" rules of law. Furthermore, Step-Saver is anachronistic and the Third Circuit is relatively unpersuasive. In fact, there are NO major legal markets and NO major software companies within the Third Circuit's jurisdiction. ProCD v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996), however, has higher persuasive authority because it is (a) newer, (b) out of a major circuit, (c) written by an enormously influential appellate judge. In addition, it is the law in the entirety of the Seventh Circuit, which includes Chicago. Others may point to Klocek v. Gateway, 104 F. Supp.3d 1332 (D. Kan. 2000), but Klocek is a district court case, and therefore has no precedential value beyond its persuasiveness, which is in turn less than that of ProCD.

Trial courts don't make law. The only U.S. Circuit Court of Appeals cases on point hold, unanimously, that EULAs are enforceable. The law is relatively clear here, and is unlikely to change unless and until the Ninth Circuit or the Supreme Court take up the issue. I'm sorry, but you're just wrong.

Only if it can be proven that both parties to the contract agreed to the contract. If you set up an agreement with a company over the phone, your recorded voice proves it's you. When you take out a loan your signature proves you agreed to it.

With a clickthrough EULA there is no proof. When I install software on someone else's machine, and I click the EULA, how can they be held to it? If the EULA is on the box, how can they prove who opened the box?

I'm fairly certain that doesn't matter... You can sign a rental contract for an apartment without having read it. You're still legally bound to it. You signed it. Ignorance, especially willful ignorance, is not an excuse for breaking a contract.

So for free services like this, exactly what consideration am I putting up? They're giving me software/media/etc., but I'm not giving them anything. I'm pretty sure mutual consideration is one of the required elements of a contract -- am I missing something here?

So for free services like this, exactly what consideration am I putting up? They're giving me software/media/etc., but I'm not giving them anything. I'm pretty sure mutual consideration is one of the required elements of a contract -- am I missing something here?

CNN is putting up a website. Web sites are supposed to be accessable. What did I have to give up to read your post, to which you own copyright? To have a EULA for web content is antisocial at best.

Imagine putting a dollar bill in an envelope and writing a EULA for taking the free dollar on the envelope. Would you seriously expect that anyone would respect that EULA? Well, that's what CNN did, and the fact that they expect anyone to respect their EULA shows that they're not exactly living in reality.

I'm sorry what? Last time I checked what the website was supposed to be was up to the owner to decide, and plenty of owners have decided that accessibility at all costs isn't what they want.

To have a EULA for web content is antisocial at best.

Practically every website with any form of registered users has a user agreement, even if it is just to cover the admin's ass with regards to young children and membership. Regardless of whether an EULA is really enforceable or n

Last time I checked what the website was supposed to be was up to the owner to decide

And last time I checked if you can access a site, you can access it. A site owner can no more say "you can only access this site if" any more than a book publisher can tell you you can't resell the book or rip off the cover (which publishers have tried to do).

If you don't want your work seen, don't put it on the internet. It's up to the owner to decide what to post, NOT how I may or may not access it.

Practically every website with any form of registered users has a user agreement

Half of all married people commit adultery, too. That doesn't make it right. Antisocial behavior is antisocial behavior no matter how many people practice it.

With a clickthrough EULA there is no proof. When I install software on someone else's machine, and I click the EULA, how can they be held to it? If the EULA is on the box, how can they prove who opened the box?

I think this issue recently arose with some user writing bots for an online game. The problem is, if you don't agree to the EULA, then (ostensibly) you haven't met the copyright owner's terms for using their work. And thus, using the service/software/whatever is a violation of copyright law at that point.

A copyright owner doesn't have the right to issue terms of use, at least not in the US. The only thing you, as a copyright holder, can do is to keep me from making and distributing copies. Your copyright gives you no further rights than that.

A copyright owner doesn't have the right to issue terms of use, at least not in the US. The only thing you, as a copyright holder, can do is to keep me from making and distributing copies. Your copyright gives you no further rights than that.

I assume that terms of use can be a condition for them granting you a license to use that work. Isn't that the whole theory on which software EULAs rest?

There are no terms of use for a hardbound book. No publisher can say on the cover "by opening this book I agree to...".

Licenses aren't for end-users, they are for publishers. If I buy a copy of Garage, Inc (with its Free Speech for the Dumb cut), I can do anything with it I damned well please short of distributing copies (or, since they have the DMCA, cracking its DRM if it has any).

And, case in point, an end-user may not be signing away their own rights here. If a user at my company installs this software, there's no way they can sign away _my_ rights as the systems administrator to monitor traffic. Their machine is not their property, and management of network resources is not their responsibility.

Clauses in contracts entered into by click through may be binding and enforceable. You have, by clicking through, entered into the contract. So the question is, whether there is anything special about such contracts, and also, which clauses, even if they occur in contracts validly entered into, may not be enforceable.

All click through contracts are contracts of adhesion. That is they are take it or leave it contracts. You will mostly consent to

Except that that goes back to a situation we discussed in business law classes. Take the case where you've paid the seller for the goods, he's accepted your payment, and all that's left is for him to actually deliver the goods. If the goods are still in his possession, say on his loading dock, and he won't give you access to them, you have to go through the authorities to get them (or sue him for non-delivery, demanding your payment back). But if he's released the goods into your possession but is preventing your access, eg. he's shipped them to you but the shipping container's sealed with locks and he won't give you the keys, being owner and in possession of the goods you're allowed to call a locksmith to remove the locks and gain access to your property. You can't unduly damage the seller's property in the process, but you aren't helpless.

Applying that reasoning to the case where the seller delivers the goods sealed with a piece of tape saying "By breaking this seal you agree to additional terms contained inside.", breaking that tape would be legally meaningless. You own the goods, the seller has delivered the goods into your possession, the seller has no more legal right to demand agreement to terms regarding your property.

Another analogous situation: you pay for your groceries, take your bags and head to the door. On the way, a supermarket employee stops you and asks you to complete a survey. You refuse and he says "I'm sorry, we can't let you leave with your groceries until you do.". Not only can you ignore his demand, if he tries to stop you you can call the cops and have him arrested for unlawful restraint.

Which all comes to the question: if the seller has accepted your payment and delivered the software into your possession, does he have any legal right to demand you agree to additional terms at all? If he doesn't, what gives any legal force to the idea that doing what's neccesary for you to gain access to your goods constitutes agreement to a demand the seller has no legal right to make?

I'm on Linux, and as a test, I just watched some [boring] live video on CNN:
1. CNN did not try to install a P2P application on my PC
2. I was not offered any EULA
3. My upstream data traffic did not change
Obviously, CNN hates Linux. Good news!

OK, then. Install it on your machine (and agree to the EULA, if you wish), and then plug your machine in to my network. I certainly didn't agree to the EULA, so I can and will make use of that information.

What happens if you replace the EULA with your own terms before installing, and therefore never agree to anything they said at all? It occurs to me that the agreement not to modify the software is actually in the EULA, so what are they going to do about it?

CNN and Adobe executives put a lot of thought into that software. They sat around at a 3-hour lunch drinking, talking about their million-dollar salaries not being enough, making rude remarks to the waitress, and wondering "How can we sink our companies, fast?"

I usually pay for the bandwith I use on torrent both download and upload, if I don't want to use it I'll shut it down, it's that strange that cnn wants to play on the safe side so that no wacko try to bill them for the upload they make?
As for the rest I see it as 'you cannot use any of this information for selling or using against us'...

I have Little Snitch on my mac and noticed all the OUTGOING bandwidth being used while watching their video stream. After I figured out what was going on, I went to MSNBC instead. The quality is great at CNN and the idea is decent, but unless I read the EULA (which I didn't beforehand), I wouldn't know my contribution to the cloud. My employer monitors outgoing bandwidth usage and I could have been in trouble for high flows if I would have watched the whole thing. Being at a university, we have a large pipe, but I think I needed to be asked first a little more explicitly if they could use it.

Wouldn't something like this be required because the EU has laws against tracking IP and content.
Also, you wouldn't want someone to try and inject alternative data in the shared file.
If you install a P2P program of course you have to let them use your bandwidth, and according to the article, it stops sharing shortly after you stop watching.
I'm all for making sure companies aren't taking advantage of people, but isn't P2P for video a good thing?

1. P2P Video is the best way to scale video feeds to tens or hundreds of thousands of viewers.
2. Because of how P2P works, it is unavoidable that you get direct IP addresses of other video watchers.
3. Legal language is necessary just to prevent (or make less inviting) outside agencies or users from spying, collecting IP addresses, and otherwise abusing all the other users of their P2P network. Isn't this a good thing for privacy? Would you rather grant every person/agency on the internet full permission

3. Legal language is necessary just to prevent (or make less inviting) outside agencies or users from spying, collecting IP addresses, and otherwise abusing all the other users of their P2P network. Isn't this a good thing for privacy?

No, it's misleading. No privacy is ensured because of some ckick-through legalese.

Would you rather grant every person/agency on the internet full permission to abuse their video customers instead?

Say it otherwise: what's the risk for the Internet user? Maybe these risks should have been clearly indicated within a notice before the installation. In all cases, those risks are still there.

Sorry, but multicast is the best way to scale video feeds to an unlimited number of viewers.

P2p is only marginally better at scaling because you can decentralize the connections. There is still a 1-to-1 relationship between the number of viewers and the number of data streams on the wire.

P2p gives you the same amount of traffic, in other words, just not all coming from one source. It's easy to imagine how that would be less efficient, since you're setting up many more connections per stream in order to disc

Sorry for a newbie like question but anyone know how to uninstall this Octoshape plugin?
I mindlessly clicked "agree" in a fleeting effort to watch live video on that plane that crashed into the Hudson river on one of my machines. For all I know I just signed away rights to my kidney and left "testie" too.
Any info. would be appreciated...
Cheers.

Imagine you didn't agree to these conditions. How do you expect CNN to deliver the service?

If you agree to the EULA, you agree that CNN can use your bandwidth, and that you will pay any costs.

Its a P2P service - so if you use it, you are sharing your bandwidth with other users. Or, top put it another way, CNN are using your bandwidth to deliver their material to their customers.

So if some joker leaves it running in his hotel room and gets charged $1 per megabyte, he shouldn't sue CNN. Sounds fair.

You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software.

So if I collected data about the other CNN customers who are sharing my bandwidth via the P2P service, their IP addresses, what they were watching, and when and published it, that would be OK, would it?

We take these things as read when we use P2P, but obviously some lawyer at CNN has done a bit of due dilligence and covered his arse in case some troll comes along and sues them.

The fuss about this is a bit like the scare stories photo-sharing sites requiring permission to reproduce/modify/sub license your photos: they need these permissions to run their service.

So if I collected data about the other CNN customers who are sharing my bandwidth via the P2P service, their IP addresses, what they were watching, and when and published it, that would be OK, would it?

Why would it not be OK? Perhaps not morally justifiable, but it's no different from publishing web-server logs or putting a live webcam of your house on the internet. It's a legal way around something that's technically impossible to stop, and something which just happens to be an accepted part of every day life in the real-world.

The consent is implied when the other person accesses your computer, knowingly or unknowingly, that it may be logged and may well pop up somewhere in future, so why should this pro

Yes, but they didn't know they were accessing your computer. They thought they were accessing CNN. If they complain, they're going to complain to CNN, not you. The program they ran was branded "CNN" not "John Doe's PC".

This is defensive ass-covering from a big, deep-pocketed company which would be an attractive target for legal trolls. Nobody is going to be bothered to start a $20-million class action suit against your webcam.

Since the EULA requires me to be hands-off, is CNN then going to assume legal responsibility for my system. In the event that a vulnerability is exposed in their P2P software, are they responsible for patch management and compliancy assurance? Should my system become compromised and, say, used as a distribution point for kiddie porn because of their EULA requirements, can I assume their legal council will represent me? How about we turn this around on them. They've removed all responsibility for security from the user, so demand it from them.

Nope. You're completely liable for things outside of your control. This is thanks to the Because Act. This little known piece of international legislation is, in fact, at the heart of many of the most prominent legal actions in the world today. Much loved by the RIAA, MPAA and the US due to it's implicit allowal for random search and seizure, legal 'fishing trips', non-judicially warranted wire taps, and it's espousal of 'guilty until proven guilty' legislature; the entire text of the Because Act has been reproduced below:

All it says is, while you may see exactly what's going on through means available to you like firewalls and antivirus programs, you are not allowed to look too hard through it because that's tantamount to working out how our P2P protocol works.

I guess, you're not going to see a WireShark module for Octoshape protocol any time soon. Or maybe you will..

They have the right idea I suppose.
Why not use P2P if you can get the video faster?
I guess they want to protect themselves from privacy issues.
People that don't care about what's in the EULA probably don't want to know anything about IP traffic - they are the majority.
The people who do know about IP traffic and do care about the EULA (./ers) are the minority, and CNN can probably give a shit what we think of the EULA

Because then we can attach it to every P2P client on earth and it'd mean the RIAA was no longer allowed to collect any information on the files being shared whilst at the same time you could still just share CNN's content, win win!